Guest Network using Unifi AP and Meraki Z3

djmaquet
New here

I have a restaurant with a network consisting of a Meraki Z3 and 5 Unifi PRO APs. This is hardware that was provided by my POS company, of which I have taken over network support. I have a guest network SSID created on the APs through the Unifi cloud controller. The wireless networks are non-existent in the Meraki dashboard. I want to create a different subnet so customers can't access my LAN, and so I don't run out of available IP addresses. I have over 100 reserved for my POS system, printers, Smart TVs, etc.

I can't set up a Meraki Guest network on an SSID because it currently shows no active SSIDs.  If I do it on the Unifi controller, I'm pretty sure it won't work since the Meraki is handling all of the IP addresses.

Does anyone have any suggestions on the best way to set this up?  Maybe a VLAN (but on the Meraki or on the Unifi controller?).

NolanHerring
Kind of a big deal

I'm not sure the Z3 is the right product for your situation, but I've never messed with one so maybe someone else knows something I don't.

You'd be better off getting an MX for the location to handle all DHCP/routing/VLANs/DNS etc., and the Unifi APs just doing AP stuff, getting dropped off onto a VLAN for management, and the SSID for CORP and SSID for GUEST being different. The connection for the APs to the switch should be trunk mode. What switch do you have in the mix?
Nolan Herring | nolanwifi.com
djmaquet
New here

The Meraki is just plugged into a Netgear ProSafe GS728TP PoE switch... nothing special. I'm not a network guy, just wondering if there was something simple I could do with what I have. If I go another route, I will likely switch over to Ubiquiti.

kYutobi
Kind of a big deal

As @NolanHerring said, the Z3 might not be what you need. Unless you're gonna split SSIDs by VLAN, which I know you said you're not a network guy, and I'm not too sure about what that Netgear is capable of, but try not to overcomplicate it by doing anything over the top as far as configs.

djmaquet
New here

Thanks...the Z3 has the capability I believe. Just not sure how to set it up since the APs are really only broadcasting the SSID. But they don't show up in the wireless network settings on the Meraki.
NolanHerring
Kind of a big deal

Yeah, the Ubiquiti access points won't show up on the Meraki dashboard at all since it's a different vendor etc. You might see client data on the Z3 once they hit it, but that is about it. All wireless configs you'll need to do on the Unifi controller.
Nolan Herring | nolanwifi.com
SoCalRacer
Kind of a big deal

I have done this with an MX and Unifi, but it should work similarly with a Z3.

You need to create a Guest VLAN in the Z3. I use VLAN 10 and then 10.10.10.0/24 typically (DHCP is auto on).

Then go into the Unifi controller, go under settings, then networks. Create a new network (VLAN).

Below are the settings I use most of the time. 10.10.10.1 is the MX/Z3 IP for the VLAN you created.

[image: SoCalRacer_0-1575474032060.png]

djmaquet
New here

Can you show me the VLAN settings in your Meraki? Is 10.10.10.0/24 the subnet or the MX IP?
djmaquet
New here

I set it up like that, rebooted and nothing would connect to my Guest Network. Did you have guest policies enabled or do you have a Guest Group created to limit bandwidth?
SoCalRacer
Kind of a big deal

[image: SoCalRacer_0-1575476117714.png]

No, but in this situation there is a dumb switch between the AP and the MX, so you may need to tag the port the AP is using on your smart switch.

Nash
Kind of a big deal

It sounds like you go Z3 -> Netgear switch -> APs. Is that correct?

If so, did you run VLANs on your Netgear switch as well as on the Z3? Netgear has some okay instructions, and iirc that model ought to support VLANs if you can log into the switch to manage it.

If you don't have creds for the switch, try the default. If that fails you, there's always factory reset and rebuild. If you're not comfortable with networking, you maybe don't want to do that.

Uberseehandel
Kind of a big deal

It is a good idea not to mix the sheep with the goats.

I have a heterogenic network stack made up of a melange of Meraki and UniFi kit.

There are 3 security appliances (1 x MX, 1 x Z3C, 1 x UniFi USG).

The network schema is analogous to an onion with differing layers (onion skins) wrapped around each other.

Each security appliance controls its own switches and WiFi APs. Each security appliance has its own autonomous WiFi subsystem with separate secure and Guest SSIDs. Guest SSIDs are configured as isolated and pass guest-originated traffic through to the internet whilst preventing guest users from accessing any local networks and devices, or other guest users.

This sounds more complicated than it is; it is solid and survives month in, month out, without maintenance. Which isn't to say that I don't weed out abusive guest users from time to time.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
MerakiGeoff
Meraki Employee

Hi there,

The Z3 is really meant to be used as a teleworker gateway device at home or when traveling so you can connect to it and have a VPN tunnel back to a VPN head-end at a datacenter and access company resources. It is meant for up to 5 clients - your phone, laptop, maybe a tablet. It's not meant to be an edge device or firewall for a substantial network. Depending on how many client devices you're needing to support on the network, you'd be better off with an MX64/65/67/68 (up to 50 clients) or MX84 (up to 200 clients) if you're planning for growth. The MXs are more expensive than the Z3, but are 100% better suited to be an edge firewall. It sounds like you have over 100 devices so an MX84 should be the ticket.
